Typical user authentication systems and procedures use passwords to authenticate the identity of the user. In many instances, Web sites are authenticated using SSL (Secure Sockets Layer) or other protocols. SSL is a protocol for securely transmitting information via the Internet. When using SSL, a Web site is authenticated via its certificate. The user seeking access to the Web site is then authenticated by username and password.
Although passwords are commonly used to authenticate users, passwords are subject to various attacks, such as phishing attacks, social engineering attacks, dictionary attacks and the like. Typically, longer passwords with combinations of letters and numbers provide a higher level of security. However, these longer passwords are more difficult for users to remember. Additionally, passwords provide a single factor of authentication by requiring the user to provide something they know. This factor does not provide any physical authentication of the user's identity. Thus, any person can access the user's Web-based accounts and information if they gain knowledge of the user's password and username. Additionally, anyone with knowledge of a user's password can initiate transactions (e.g., purchase transactions and fund transfers) without the user's permission.
Another potential threat that occurs when using passwords is commonly referred to as “Man in the Browser” attacks. These types of attacks involve malicious software applications (malware) running in the internet browser while the user is logging on to a web site or performing a financial transaction.
One of the implementations of this attack is to get access to user's password when the user provides their password to the internet browser. After this point malware can conduct any type of malicious action with the user's account.
Another example of a “Man in the Browser” attack is to modify the transaction information on the fly and dupe the user by encouraging them to confirm a transaction which they didn't intend to confirm. The malware residing in the internet browser has full access to all graphical user interface parts of the browser (window, text, etc.) and may change them whenever necessary. Therefore, it's important to not trust the browser user interface when conducting important financial operations or when logging in to a web account.
Therefore, it is desirable to provide a user authentication method and system that offers a more secure authentication of the user, and more secure transactions, than commonly used password-based systems and methods.
Throughout the description, similar reference numbers may be used to identify similar elements.